How do I detect if the public key in a digital certificate is modified?
Alberto
I know the basic process of a digital certificate, but how do I detect if the public key in a digital certificate is modified?
The digital signature underneath the certificate - generated by the Certificate Authority (CA) that issued the certificate - will not verify if the public key is changed. The only way someone could "change" the public key without the certificate failing verification is if the adversary compromises a trusted CA, or maybe, more exactly, your CA, depending on how closely you inspect the certificate.
In more detail, the CA has a private key in its possession, and the corresponding public key is installed in all operating systems and browsers. The CA uses the private key to sign a certificate, and then the browser / OS checks the signature using the trusted public key. If the signature is correct, the public key in the certificate cannot have been changed.
It is possible that more intermediate certificates are used, where the parent certificate can be used to verify the child certificate. This is called a chain of trust, starting with a leaf certificate and ending with a certificate in the trust store.
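As an added illustration of the answer above (my own example, not code from the poster, using only Go's standard library): a constructed CA issues a leaf certificate, then the leaf's SubjectPublicKeyInfo bytes are swapped for a different key while the CA's original signature is left in place, and the signature check over tbsCertificate fails. The function names and "Example Root CA" / "server.example" are assumptions for the demo.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeChain builds a constructed root CA and a leaf certificate signed by that CA's private key.
func makeChain() (ca, leaf *x509.Certificate, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil { return nil, nil, err }
	if ca, err = x509.ParseCertificate(caDER); err != nil { return nil, nil, err }
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "server.example"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil { return nil, nil, err }
	leaf, err = x509.ParseCertificate(leafDER)
	return ca, leaf, err
}
// swapPublicKey simulates a tampered certificate: the SubjectPublicKeyInfo inside the DER is
// replaced by another P-256 key (same length, so DER stays parseable) and the signature is kept.
func swapPublicKey(leaf *x509.Certificate) (*x509.Certificate, error) {
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	newSPKI, err := x509.MarshalPKIXPublicKey(&otherKey.PublicKey)
	if err != nil { return nil, err }
	if len(newSPKI) != len(leaf.RawSubjectPublicKeyInfo) { return nil, fmt.Errorf("SPKI length mismatch") }
	tampered := bytes.Replace(leaf.Raw, leaf.RawSubjectPublicKeyInfo, newSPKI, 1)
	return x509.ParseCertificate(tampered) // parsing does not check the signature; that is a separate step
}
// signatureValid reports whether the issuer's public key verifies cert's signature over its tbsCertificate.
func signatureValid(cert, issuer *x509.Certificate) bool { return cert.CheckSignatureFrom(issuer) == nil }
```

signatureValid(leaf, ca) is true for the freshly issued leaf and false for the certificate returned by swapPublicKey, which is exactly the check a browser or OS performs against the trusted CA key.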